
Transborder access to data - the Portuguese regulation

Published: 5/2/13 12:36 PM

1. It is commonly recognised that one of the most important issues in cybercrime investigations is access to information stored outside the borders of the country conducting the investigation. Most concrete investigations require information physically stored on a computer in another country.

Obtaining that kind of information in each particular case requires law enforcement agents to follow one of two possible procedures: the first, the classical one, is to formally request mutual legal assistance from the authorities of the other State; the second is to ask, informally and directly, for the data from those who have the power of disposal over that information. In most cybercrime investigations, which involve highly volatile evidence, the first option is unrealistic and useless, because it takes so long that it becomes inefficient. On the other hand, the second option is not always covered by national laws, regarding both the way of obtaining the information and the validity of the evidence obtained.

2. The Budapest Convention already provides some help in Article 32, which allows “open source” information to be obtained and, above all, allows access to “non open” information if the person authorised to disclose it gives proper consent. However, it is nowadays felt that this 2001 provision needs to be updated to the “cloud” reality, as it is limited to information stored within one of the Parties to the Convention, and the legal requirement of obtaining consent reduces the practical scope of the rule.

3. Portuguese legal provisions don’t cover all aspects of cross-border access to data, leaving a wide range of questions open to discussion in the jurisprudence. However, some important solutions are already set out in the Portuguese Cybercrime Law (Law 109/2009, of 15 September).

That law recognises the need felt by law enforcement agencies, the prosecution service and the courts to access data stored somewhere on the Internet, in another country or in a physically unknown place. In addition, the domestic text transposes Article 32 of the Budapest Convention: Portuguese law thus allows a Portuguese officer to obtain information outside the country if it is openly obtainable, or if the consent of the person legally authorised to disclose the data has been obtained. Conversely, an officer from any other country (whether or not it is a Party to the Budapest Convention) is permitted to obtain information physically stored in Portugal (Article 25 of Law 109/2009) in equivalent situations (“open source” or with the consent of the authorised person). The law does not clarify some details, which are left to the jurisprudence, such as who the authorised person is and where that person must physically be. In any case, Article 32 of the Budapest Convention is fully covered by Portuguese law.

4. However, Article 32 does not allow any kind of coercive access to data against the will of the owner of those data – in other words, obtaining evidence under Article 32 requires the voluntary cooperation of the person who has the power of disposal over it. Besides, Article 32 only entitles law enforcement from a State to obtain evidence if that State is a Party to the Budapest Convention and the data are also located within the territory of a Party. These are serious limitations – in fact, they are the reasons why the Cybercrime Convention Committee (T-CY) is working towards drafting some kind of additional instrument to the Convention, updating this particular detail.

5. On this point, Portuguese law goes beyond Budapest. In fact, Portuguese internal rules allow law enforcement to virtually access data stored in any other country in the world, even if the actual location of the data is unknown. Article 15, paragraph 1, of the Cybercrime Law allows the judicial authority (the prosecutor during the investigation, and the judge after that) to authorise a search of a computer if, during the investigation, it becomes necessary for the collection of evidence. Furthermore, paragraph 5 of Article 15 allows the same authority to extend that search to another computer or another computer system, if there are reasons to believe that the information sought is stored in the other computer or computer system and if it is legally accessible from the initially searched computer or computer system. The clear inspiration for this provision is Article 19, paragraph 2, of the Budapest Convention. However, there is a remarkable difference between the Convention and Portuguese law: Article 19 allows the extension of the search only within the borders of the Party; Portuguese law does not include any geographic limit and entitles the competent authorities to extend the search to systems located both within the Portuguese borders and outside them. The provision also covers situations in which the location of the computer system or of the data is unknown.

6. In practical terms, the extension under Article 15, paragraph 5, primarily envisages searches of large computer systems (for example, a search of a particular department of a large company, which can then be extended to other computers of the same company in another physical location). But it also covers, for example, access to webmail accounts. In both cases, as mentioned, it applies to access to systems physically located inside or outside the Portuguese borders, provided, of course, that the initial access to the system was legally authorised.

According to this regulation, it is clear that Portuguese law enforcement agents can access data physically stored on a remote system, even if that system is physically abroad. There is no specific rule regarding the validity of the evidence obtained by this particular process but, in the absence of specific regulation, the general rule of Article 125 of the Criminal Procedure Code applies: all evidence is admissible if it is not prohibited by law.

7. A final note, regarding safeguards: under the Portuguese system, all the investigative powers belong to the prosecutor, including the power to authorise searches and seizures of computer data. However, if email communications or records of communications of a similar nature are found in such a search, the intervention of the investigative judge is required to validate the seizure (Cybercrime Law, Article 17). The same requirement applies when, during the search, data are found whose content is likely to disclose personal or intimate information that would jeopardise the privacy of its owner or of a third party (Cybercrime Law, Article 16, paragraph 3). In both cases, the submission of the obtained evidence to the investigative judge is required under penalty of nullity.

These points will also be taken up by the Cybercrime Convention Committee on 3-5 June 2013. The public hearing on 3 June should be of particular interest: T-CY transborder hearing. http://www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/T-CY/Public%20Hearing/TCY_Public_Hearing_en.asp

The Committee will then discuss the draft Guidance Note on Article 32 ( http://www.coe.int/t/dghl/cooperation/economiccrime/Source/Cybercrime/TCY/TCY%202013/TCY_2013_7E_GN3_transborder_V2public.pdf ) as well as decide on whether to prepare a Protocol ( http://www.coe.int/t/dghl/cooperation/economiccrime/Source/Cybercrime/TCY/TCY%202013/T-CY(2013)14transb_elements_protocol_V2.pdf ) to the Budapest Convention on transborder access.

We recognise that our legal solution has some gaps and unregulated points. I decided to share it as food for thought, in view of achieving, within T-CY/Transborder Group, better and more consolidated solutions to this problem. Hopefully, we can also find inspiration to obtain solutions to our internal gaps!

Police officers are conducting a search in a person's house. They think it would be useful to check the person's Hotmail account. They find his or her password on a piece of paper somewhere in the apartment. The person refuses to let them have access to his or her Hotmail account. Let's suppose that MSN representation in Portugal doesn't agree to give emails' content unless the person agrees to it. What would happen under Portuguese law? Would the police officers be allowed to and search the emails, provided that we do know the data is stored, according to the US themselves, in the US?

Question 2: same situation but police officers don't find the password in the house, but they somehow have the information (from a third person, for instance, or even from wiretapped conversations).

Discussion in France is emerging among judges and prosecutors about the application of article 32 and our national law, which specifies that we can access data abroad without asking the foreign state "sous réserve des conventions internationales en vigueur" (and the only applicable convention is the Budapest convention, which is not applicable to all states, and which requires more than national law, meaning consent ...).

I'm very interested in knowing what legal answers would be in the typical situation I have described, and which is not so uncommon for our police officers.

Regarding your questions, as I said, the rules are quite open and need clarification of the jurisprudence. None of your points are described in the legal text.

However, the general rules apply. For example, regarding your question 2, we don’t have a specific rule, but the general rule applies. And the general rule says that you should not obtain (and you cannot use in court) evidence in a tricky manner: evidence must be fairly obtained in any circumstance. That means, for instance, that if you obtained the password because you were looking at the screen, when the suspect was writing it, against his will, this is not fair.

But if you obtain the evidence lawfully and fairly, you can use it. In your case 1, if the police officers had a proper warrant to search the place, then the piece of paper was lawfully obtained and they can use it to extend the search – and they need also a warrant for that.

This means that they can extend the search, but not to do it later, in another occasion – (here, again, general rules apply: a search cannot be repeated later, without a warrant).

Summarizing: in question 1, police officers (with a proper warrant), could extend the search and check the email account – they should do that proceeding like in a search, right in that moment and documenting the event. In question 2, it depends how they obtained the password. Anyways, they cannot access the account outside the scenario of a search.

Thanks for your interesting reply Pedro. I am very interested in knowing what happens in such cases in other countries. Our case law too needs to clarify legal rules! Your reply concerning the extended search being done "on the scene" is actually very important I think. I tend to interpret our national law the same way. However, in more and more cases, investigators need time to search the computer and some just prefer not to "modify" anything on the scene, so they think they can just take the computer to their office and then quietly use the password and user name later on. I tend to believe we are on the same page in this situation. Another big matter for which legal training could be very useful in each of our countries!